feat: add redeemer rule support across permissions

[mj-kiwi]

Description

Add a redeemer rule

{
  "type": "redeemer",
  "data: {
    "addresses": Address[]
  }
}

Get Supported Permissions

{
  "native-token-stream": {
    "chainIds": [
      1,
      4114,
      4217,
      80002,
      80069,
      80094,
      5115,
      84532,
      338,
      6342,
      25,
      8453,
      10143,
      10200,
      56,
      14601,
      1301,
      1328,
      1329,
      97,
      100,
      421614,
      130,
      560048,
      137,
      143,
      146,
      10,
      42161,
      42170,
      42220,
      42431,
      11142220,
      11155111,
      11155420,
      59144
    ],
    "ruleTypes": [
      "expiry",
      "redeemer"
    ]
  },
  "native-token-periodic": {
    "chainIds": [
      1,
      4114,
      4217,
      80002,
      80069,
      80094,
      5115,
      84532,
      338,
      6342,
      25,
      8453,
      10143,
      10200,
      56,
      14601,
      1301,
      1328,
      1329,
      97,
      100,
      421614,
      130,
      560048,
      137,
      143,
      146,
      10,
      42161,
      42170,
      42220,
      42431,
      11142220,
      11155111,
      11155420,
      59144
    ],
    "ruleTypes": [
      "expiry",
      "redeemer"
    ]
  },
  "erc20-token-stream": {
    "chainIds": [
      1,
      4114,
      4217,
      80002,
      80069,
      80094,
      5115,
      84532,
      338,
      6342,
      25,
      8453,
      10143,
      10200,
      56,
      14601,
      1301,
      1328,
      1329,
      97,
      100,
      421614,
      130,
      560048,
      137,
      143,
      146,
      10,
      42161,
      42170,
      42220,
      42431,
      11142220,
      11155111,
      11155420,
      59144
    ],
    "ruleTypes": [
      "expiry",
      "redeemer"
    ]
  },
  "erc20-token-periodic": {
    "chainIds": [
      1,
      4114,
      4217,
      80002,
      80069,
      80094,
      5115,
      84532,
      338,
      6342,
      25,
      8453,
      10143,
      10200,
      56,
      14601,
      1301,
      1328,
      1329,
      97,
      100,
      421614,
      130,
      560048,
      137,
      143,
      146,
      10,
      42161,
      42170,
      42220,
      42431,
      11142220,
      11155111,
      11155420,
      59144
    ],
    "ruleTypes": [
      "expiry",
      "redeemer"
    ]
  },
  "erc20-token-revocation": {
    "chainIds": [
      1,
      4114,
      4217,
      80002,
      80069,
      80094,
      5115,
      84532,
      338,
      6342,
      25,
      8453,
      10143,
      10200,
      56,
      14601,
      1301,
      1328,
      1329,
      97,
      100,
      421614,
      130,
      560048,
      137,
      143,
      146,
      10,
      42161,
      42170,
      42220,
      42431,
      11142220,
      11155111,
      11155420,
      59144
    ],
    "ruleTypes": [
      "expiry",
      "redeemer"
    ]
  }
}

Related issues

Fixes:

Manual testing steps

1. Go to this page...

Screenshots/Recordings

Before

After

redeemer.snap.mp4

Pre-merge author checklist

• I've followed MetaMask 7715 Permissions Snaps Contributor Docs and MetaMask 7715 Permissions Snaps Coding Standards.
• I've completed the PR template to the best of my ability
• I’ve included tests if applicable
• I’ve documented my code using JSDoc format if applicable

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Medium Risk
Touches permission validation and delegation caveat generation (including a new enforcer address) and upgrades @metamask/delegation-core, so incorrect rule handling could change who can redeem granted permissions.

Overview
Adds a new redeemer rule (list of allowed redeemer addresses) across supported permission types, including schema validation, RPC-supported rule type reporting, and end-to-end tests.

In gator-permissions-snap, the grant flow now preserves the dapp-provided redeemer constraint (applyRedeemerRule), surfaces redeemer addresses as read-only in confirmation UI (RedeemerField + new i18n strings), and converts the rule into an on-chain RedeemerEnforcer caveat (new redeemerEnforcer contract address + appendRedeemerCaveatIfPresent). Expiry caveat construction is refactored into appendExpiryCaveatIfPresent and updated for the newer createTimestampTerms parameter names.

In the demo site, permission request forms gain an optional redeemer-addresses input (parsed/deduped to checksum addresses) and requests send redeemer to requestExecutionPermissions; clipboard JSON output is updated to safely stringify bigint values. Dependency bumps include @metamask/delegation-core and @metamask/smart-accounts-kit (lockfile updated accordingly).

^{Reviewed by Cursor Bugbot for commit 9886549. Bugbot is set up for automated code reviews on this repo. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​metamask/​smart-accounts-kit@​0.4.0-beta.0 ⏵ 1.3.0	+3		+6	+4
	@​metamask/​delegation-core@​0.3.0 ⏵ 1.1.0	+1		+1	+5

View full report

[socket-security]

Caution

MetaMask internal reviewing guidelines:

• Do not ignore-all
• Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
• Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
  @SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Network access: npm openapi-fetch in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: ? → npm/@metamask/smart-accounts-kit@1.3.0 → npm/openapi-fetch@0.13.8 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/openapi-fetch@0.13.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[jeffsmale90]

I reviewed the first half - will get back to the other half shortly!

[jeffsmale90]

Looking super good!

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit ec69bde. Configure here.}

[jeffsmale90]

Looking great!

[mj-kiwi]

@SocketSecurity ignore npm/openapi-fetch@0.13.8